News

DrayTek Patches RCE Vulnerability in Routers

DrayTek, a networking equipment manufacturer, has issued a warning about a critical vulnerability affecting several models of its Vigor routers. The flaw allows remote, unauthenticated attackers to execute arbitrary code on affected devices.

The vulnerability, tracked as CVE-2025-10547, was discovered earlier this year by security researcher Pierre-Yves Maes of ChapsVision.

“The vulnerability is triggered when unauthenticated remote attackers send specially crafted HTTP or HTTPS requests to the device’s web interface,” reads DrayTek’s security bulletin. “Successful exploitation can lead to memory corruption and system crashes, and under certain circumstances, may allow remote code execution.”

According to DrayTek, exposure to the vulnerability can be reduced by disabling remote access to the web interface and restricting SSL VPN access via ACL or VLAN. However, the web interface remains accessible via LAN, leaving the router potentially exposed to local attacks.

Maes explained to BleepingComputer that the root cause of CVE-2025-10547 lies in an uninitialized value on the stack, which can be exploited to force the free() function to operate on arbitrary memory regions — a condition known as arbitrary free() — ultimately leading to remote code execution.

The researcher confirmed he had successfully tested the flaw using a proof-of-concept exploit on a vulnerable device. He plans to release full technical details of the vulnerability later this week.

DrayTek has released patched firmware for all affected models. The company strongly recommends users update their routers to the following versions or later:

Vigor1000B, Vigor2962, Vigor3910/3912 → 4.4.3.6 or newer (4.4.5.1 for some models)
Vigor2135, Vigor2763/2765/2766, Vigor2865/2866 Series (LTE/5G), Vigor2927 Series (LTE/5G) → 4.5.1 or newer
Vigor2915 Series → 4.4.6.1 or newer
Vigor2862/2926 Series (LTE) → 3.9.9.12 or newer
Vigor2952/2952P, Vigor3220 → 3.9.8.8 or newer
Vigor2860/2925 Series (LTE) → 3.9.8.6 or newer
Vigor2133/2762/2832 Series → 3.9.9.4 or newer
Vigor2620 Series → 3.9.9.5 or newer
VigorLTE 200n → 3.9.9.3 or newer

Users should also verify that remote web management and VPN access are restricted only to trusted IPs and that firmware updates are applied as soon as possible.

FBI Seizes Another BreachForums Domain; Hackers Admit the “Era of Forums Is Over”

The FBI has seized another version of the notorious hacker forum BreachForums, taking control of the domain BreachForums[.]hn a site used to leak data from at least 39 organizations affected by the recent Salesforce-related breaches. According to threat actors behind the forum, law enforcement not only took the site

Forensics Tool Velociraptor Used to Deploy LockBit and Babuk Ransomware

Cisco Talos researchers have warned that Velociraptor, a legitimate digital forensics and incident response (DFIR) tool, is being repurposed by LockBit and Babuk ransomware operators to deploy malware and maintain persistence in compromised networks. Velociraptor is an open-source DFIR utility originally developed by security researcher Mike Cohen and later acquired

Anthropic Finds That Just 250 Malicious Documents Can Poison a Large Language Model

Researchers at Anthropic, working with the UK government’s AI Safety Institute, the Alan Turing Institute, and several academic partners, have demonstrated that as few as 250 maliciously crafted documents are enough to poison a large language model (LLM) — causing it to produce incoherent text whenever it encounters a specific

Read next